#10108: fix: override stale Anthropic OAuth stealth headers for Opus 4.6

## Summary - Fixes HTTP 404 `not_found_error` when using Anthropic OAuth tokens (`sk-ant-oat01-*`) with `claude-opus-4-6` - pi-ai hardcodes `claude-code-20250219` in the `anthropic-beta` header during OAuth stealth mode, which is too old for models released after that date - Overrides the stale headers at the OpenClaw `streamFn` wrapper level (same pattern as existing OpenRouter attribution headers) by injecting updated `anthropic-beta` and `user-agent` values via `options.headers` - Only activates for OAuth tokens (detected by `sk-ant-oat` prefix); regular API keys are unaffected ## Details When OpenClaw uses an Anthropic OAuth token, pi-ai enters "stealth mode" and mimics Claude Code v2.1.2 with the `claude-code-20250219` beta header. Anthropic's API rejects requests with this old header when targeting `claude-opus-4-6` (released 2026-02-05). The fix adds a `streamFn` wrapper in `extra-params.ts` that detects OAuth tokens via `getEnvApiKey("anthropic")` and injects updated headers (`claude-code-20260205`, Claude Code v2.1.33). These override pi-ai's hardcoded values through the existing `mergeHeaders(…, model.headers, optionsHeaders)` precedence chain. Fixes #9938 ## Test plan - [x] Existing tests pass (4/4) - [x] New test: OAuth token triggers header override with correct `anthropic-beta` value - [x] New test: Regular API keys do NOT trigger the override - [x] `pnpm build` succeeds - [x] `pnpm check` (lint + format) passes - [ ] Manual verification with live OAuth token and `claude-opus-4-6` 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- greptile_comment --> <h2>Greptile Overview</h2> <h3>Greptile Summary</h3> This PR adds an Anthropic-specific `streamFn` wrapper in `src/agents/pi-embedded-runner/extra-params.ts` that injects updated `anthropic-beta` and `user-agent` headers when an Anthropic OAuth token is detected, mirroring the existing OpenRouter header-wrapper pattern. It also extends `src/agents/pi-embedded-runner-extraparams.test.ts` with unit tests asserting that OAuth-like keys trigger the override while regular API keys do not. The change fits into the embedded Pi runner by augmenting `applyExtraParamsToAgent` to optionally wrap the agent’s `streamFn` with provider-specific behavior (extra stream params, OpenRouter attribution headers, and now Anthropic OAuth stealth header overrides). <h3>Confidence Score: 3/5</h3> - This PR is close but has a couple of correctness gaps around OAuth detection and env key resolution. - Core approach (wrapping streamFn to override headers) is localized and aligns with existing OpenRouter header injection, and unit coverage was added. However, OAuth detection currently uses a substring match and the wrapper reads `getEnvApiKey("anthropic")` rather than the codebase’s Anthropic env precedence (which prefers `ANTHROPIC_OAUTH_TOKEN`), so the fix can fail to apply or apply unexpectedly in real configurations. Tests also risk env leakage on assertion failure. - src/agents/pi-embedded-runner/extra-params.ts; src/agents/pi-embedded-runner-extraparams.test.ts <!-- greptile_other_comments_section --> _{(2/5) Greptile learns from your feedback when you react with thumbs up/down!} **Context used:** - Context from `dashboard` - CLAUDE.md ([source](https://app.greptile.com/review/custom-context?memory=fd949e91-5c3a-4ab5-90a1-cbe184fd6ce8)) - Context from `dashboard` - AGENTS.md ([source](https://app.greptile.com/review/custom-context?memory=0d0c8278-ef8e-4d6c-ab21-f5527e322f13)) <!-- /greptile_comment -->